SOCIAL SECURITY
Office of the Inspector General

November 8, 2010

The Honorable Michael J. Astrue
Commissioner

The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576), as amended, requires that the Social Security Administration’s (SSA) Inspector General (IG) or an independent external auditor, as determined by the IG, audit SSA's financial statements in accordance with applicable standards. Under a contract monitored by the Office of the Inspector General (OIG), Grant Thornton, LLP, an independent certified public accounting firm, audited SSA's Fiscal Year (FY) 2010 financial statements. This letter transmits Grant Thornton’s Independent Auditor’s Report on the audit of SSA’s FY 2010 financial statements. Grant Thornton's Report includes the following:

   • Opinion on Financial Statements;
   • Opinion on Management's Assertion about the Effectiveness of Internal Control; and
   • Report on Compliance and Other Matters.

Objective of a Financial Statement Audit

The objective of a financial statement audit is to determine whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management as well as evaluating the overall financial statement presentation.

Grant Thornton’s audit was conducted in accordance with auditing standards generally accepted in the United States; Government Auditing Standards issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. The audit included obtaining an understanding of the internal control, testing and evaluating the design and operating effectiveness of the internal control, and performing such other procedures as considered necessary under the circumstances. Because of inherent limitations in any internal control, misstatements because of error or fraud may occur and not be detected. The risk of fraud is inherent to many of SSA’s programs and operations, especially within the Supplemental Security Income program. In our opinion, people outside the organization perpetrate most of the fraud against SSA.

Audit of Financial Statements, Effectiveness of Internal Control, and Compliance with Laws and Regulations

OIG audited SSA’s FY 2009 financial statements and issued an unqualified opinion on the statements. In its audit of the FY 2010 financial statements, Grant Thornton issued an unqualified opinion. Grant Thornton also reported that SSA had effective internal control over financial reporting based on criteria under OMB Circular A-123, Management’s Responsibility for Internal Control and SSA’s financial management systems substantially complied with the requirements of the Federal Financial Management Improvement Act of 1996.

SOCIAL SECURITY ADMINISTRATION BALTIMORE MD 21235-0001

However, Grant Thornton did identify three deficiencies in internal control that, when aggregated, are considered to be a significant deficiency related to a weakness in controls over information security. Specifically, Grant Thornton testing:

   1. Disclosed that policies and procedures to reassess periodically the content of security access profiles had not been complied with consistently throughout the Agency.
   2. Disclosed evidence that security permissions provided to some employees and contractors were in excess of access required to complete their job responsibilities.
   3. Identified configurations that increased the risk of unauthorized access to key financial data and programs during our testing of the mainframe operating system.

Grant Thornton identified no reportable instances of noncompliance with the laws, regulations, or other matters tested.

OIG Evaluation of Grant Thornton Audit Performance

To fulfill our responsibilities under the CFO Act and related legislation for ensuring the quality of the audit work performed, we monitored Grant Thornton’s audit of SSA's FY 2010 financial statements by

   • reviewing Grant Thornton’s approach and planning of the audit;
   • evaluating the qualifications and independence of its auditors;
   • monitoring the progress of the audit at key points;
   • examining its workpapers related to planning the audit, assessing SSA's internal control, and substantive testing;
   • reviewing Grant Thornton’s audit report to ensure compliance with Government Auditing Standards and OMB Bulletin No. 07-04;
   • coordinating the issuance of the audit report; and
   • performing other procedures we deemed necessary.

Grant Thornton is responsible for the enclosed auditor’s report, dated November 8, 2010, and the opinions and conclusions expressed therein. The OIG is responsible for technical and administrative oversight regarding Grant Thornton’s performance under the terms of the contract. Our review, as differentiated from an audit in accordance with applicable auditing standards, was not intended to enable us to express, and accordingly we do not express, an opinion on SSA’s financial statements, management’s assertions about the effectiveness of its internal control over financial reporting, or SSA’s compliance with certain laws and regulations. However, our monitoring review, as qualified above, disclosed no instances where Grant Thornton did not comply with applicable auditing standards.

Patrick P. O’Carroll, Jr.
Inspector General

Enclosure

Enclosure
Page 1 of 5

Audit • Tax • Advisory
Grant Thornton LLP
333 John Carlyle Street, Suite 500
Alexandria, VA 22314-5745
T 703.837.4400
F 703.837.4455
www.grantthornton.com

The Honorable Michael J. Astrue
Commissioner
Social Security Administration

Independent Auditor’s Report

In our audit of the Social Security Administration (SSA), we found:

   • The consolidated balance sheet of SSA as of September 30, 2010, and the related consolidated statement of net cost and changes in net position, and the combined statement of budgetary resources for the year then ended and the statement of social insurance as of January 1, 2010 are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America;
   • Management fairly stated that SSA’s internal control over financial reporting was operating effectively as of September 30, 2010;
   • No reportable instances of noncompliance with laws, regulations or other matters tested.

OPINION ON FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheet of the SSA as of September 30, 2010, and the related consolidated statement of net cost and changes in net position, and the combined statement of budgetary resources for the year then ended, and the statement of social insurance as of January 1, 2010. These financial statements are the responsibility of SSA’s management. Our responsibility is to express an opinion on these financial statements based on our audit.

The consolidated balance sheet of SSA as of September 30, 2009, and the related consolidated statement of net cost and changes in net position, and the combined statement of budgetary resources for the year then ended were audited by other auditors whose report dated November 9, 2009 expressed an unqualified opinion on those statements. The statements of social insurance as of January 1, 2009, 2008, 2007, and 2006 were also audited by other auditors whose reports dated November 9, 2009 and November 7, 2008 expressed an unqualified opinion on those statements.

We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audit provides a reasonable basis for our opinion.

In our opinion, the financial statements referred to above and presented on pages 100 through 130 of this Performance and Accountability Report (PAR), present fairly, in all material respects, the financial position of SSA as of September 30, 2010, and its net cost of operations, changes in net position, and budgetary resources for the year then ended, and the financial condition of its social insurance program as of January 1, 2010, in conformity with accounting principles generally accepted in the United States of America.

Our audit was conducted for the purpose of forming an opinion on the consolidated and combined financial statements taken as a whole. The Additional Information presented on the statement of social insurance as of January 1, 2010 is presented for purposes of additional analysis and is not a required part of the consolidated and combined financial statements. Such information has been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements and, in our opinion, is fairly stated in all material respects in relation to the consolidated and combined financial statements taken as a whole.

As discussed in Note 17 to the financial statements, the statement of social insurance presents the actuarial present value of the SSA's estimated future income to be received from or on behalf of the participants and estimated future expenditures to be paid to or on behalf of participants during a projection period sufficient to illustrate long-term sustainability of the social insurance program. In preparing the statement of social insurance, management considers and selects assumptions and data that it believes provide a reasonable basis for the assertions in the statements. However, because of the large number of factors that affect the statement of social insurance and the fact that future events and circumstances cannot be known with certainty, there will be differences between the estimates in the statement of social insurance and the actual results, and those differences may be material.

OPINION ON MANAGEMENT’S ASSERTION ABOUT THE EFFECTIVENESS OF INTERNAL CONTROL

We have also audited management’s assertion, included in the accompanying Federal Managers’ Financial Integrity Act (FMFIA) Assurance Statement on page 43 of this PAR that SSA’s internal control over financial reporting was operating effectively as of September 30, 2010 based on criteria established under OMB Circular No. A-123, Management’s Responsibility for Internal Control. We did not test all internal controls, relevant to the operating objectives broadly, defined by the Federal Managers’ Financial Integrity Act of 1982. SSA’s management is responsible for maintaining effective internal control over financial reporting and for its assertion of the operating effectiveness of internal control over financial reporting. Our responsibility is to express an opinion on management’s assertion based on our audit.

We conducted our audit in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA); the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

An agency’s internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with generally accepted accounting principles. An agency’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the agency; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the agency are being made only in accordance with authorizations of management and those charged with governance; and (3) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use, or disposition of the agency’s assets that could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

In our opinion, management’s assertion that SSA’s internal control over financial reporting was operating effectively as of September 30, 2010, is fairly stated, in all material respects based on criteria established under OMB Circular No. A-123.

Other Internal Control Matters

Our work identified the need to improve certain internal controls, as described below and in a separate, limited-distribution management letter. A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the agency’s financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Our audit was not designed to identify all deficiencies in internal control over financial reporting that might be significant deficiencies. We identified the following deficiencies that we consider, in combination, to be a significant deficiency in SSA’s internal control over financial reporting.

Significant Deficiency

Weakness in Controls Over Information Security

Our testing disclosed that policies and procedures to periodically reassess the content of security access profiles had not been complied with consistently throughout the Agency. Our testing also disclosed evidence that security permissions provided to some employees and contractors were in excess of access required to complete their job responsibilities. Additionally, we identified configurations that increased the risk of unauthorized access to key financial data and programs during our testing of the mainframe operating system.

Specific disclosure of detailed information about these exposures might further compromise controls and are therefore not provided within this report. Rather, the specific details of weaknesses noted are presented in a separate, limited-distribution management letter.

Recommendations

We recommend that SSA management implement policies and procedures that require a periodic review of the content of all security profiles. These policies and procedures should enforce a consistent approach for profile review and should require auditable artifacts to evidence the completion of these reviews. If designed appropriately and implemented effectively, management should be able to decrease the risk of personnel and contractors maintaining excessive access to transactions and data.

We also recommend that management implement controls to test and monitor configurations on the mainframe to identify and address inherent security risks. This should include a comprehensive procedure to test new software and updates to existing software on the mainframe prior to implementation. Management must also implement procedures that require on-going monitoring of implemented mainframe configurations to identify and address security risks.

More specific recommendations focused on the individual exposures we identified are included in a separate limited-distribution management letter, which also includes management’s response and their planned corrective actions.

REPORT ON COMPLIANCE AND OTHER MATTERS

The management of SSA is responsible for compliance with laws and regulations. As part of obtaining reasonable assurance about whether the financial statements are free of material misstatement, we performed tests of the compliance with laws and regulations, including laws governing the use of budgetary authority, government-wide policies and laws identified in Appendix E of OMB Bulletin No. 07-04, and other laws and regulations, noncompliance with which could have a direct and material effect on the financial statements. Under the Federal Financial Management Improvement Act of 1996 (FFMIA), we are required to report whether the SSA’s financial management systems substantially comply with the Federal financial management systems requirements, applicable Federal accounting standards, and the United States Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA section 803(a) requirements.

We did not test compliance with all laws and regulations applicable to SSA. We limited our tests of compliance to the provisions of laws and regulations cited in the preceding paragraph of this report. Providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion.

The results of our tests of compliance disclosed no instances of noncompliance with laws and regulations or other matters that are required to be reported under Government Auditing Standards or OMB Bulletin No. 07-04 and no instances of substantial noncompliance that are required to be reported under FFMIA.

OTHER INFORMATION

The Management’s Discussion and Analysis (MD&A) included on pages 5 through 46 and the Required Supplementary Information (RSI) included on pages 136 through 151 of this PAR are not a required part of the consolidated and combined financial statements but are supplementary information required by the Federal Accounting Standards Advisory Board and OMB Circular No. A-136, Financial Reporting Requirements. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of the MD&A and RSI. However, we did not audit the information and express no opinion on it.

Our audit was conducted for the purpose of forming an opinion on the consolidated and combined financial statements taken as a whole. The Schedule of Budgetary Resources included on page 135 of this PAR is not a required part of the consolidated and combined financial statements but is supplementary information required by OMB Circular No. A-136. This schedule and the consolidating and combining information included on pages 131 to 134 of this PAR are not a required part of the consolidated and combined financial statements. Such information has been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements and, in our opinion, is fairly stated in all material respects in relation to the consolidated and combined financial statements taken as a whole.

The Commissioner’s Message on page 1 and the other accompanying information included on pages 2 through 4, 47 through 96 and 163 to the end of this PAR is presented for purposes of additional analysis and is also not a required part of the financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements, and accordingly, we express no opinion on it.

Our report is intended solely for the information and use of management of SSA, the Office of the Inspector General, the OMB, the Government Accountability Office, and Congress and is not intended to be and should not be used by anyone other than these specified parties.

Alexandria, Virginia
November 8, 2010